Author: Paul Cronin, Co-Founder
Introduction
A good friend of mine recently told me of the horror of trying to get motor insurance on a 2022 Lexus Hybrid. Like me, he's a mature driver with a clean licence, and he was struggling to get insured on the vehicle, with some companies refusing to quote.
Why? Well, I suspect the reason is a well-known vulnerability in many Toyota/Lexus cars built from 2017 to 2022, which are easy to steal unless a Toyota modification part is fitted.
Certain Toyota/Lexus vehicles built between 2017 and 2022 allow a thief outside the vehicle to connect a small device via the front LCD headlight wires, front wheel well or front bumper. The device then interacts with the car's CAN bus (the communications system within the car), which allows the car doors to be opened and the car to be started without a key.
The device, along with others, has been available to purchase on Telegram channels from "auto locksmiths" for a long while. It is currently relatively expensive at between £2500 and £4000, and it is disguised as a Bluetooth JBL speaker, so when stopped the thieves are not "going equipped" to steal!
Operation
Ken Tindell and Ian Tabor have an awesome article on the CANIS Automotive Labs blog covering the technical details of how this attack is conducted.
I was interested in whose responsibility it is to make vehicle owners in the UK aware of security issues regarding motor vehicles (I'm not sure about other countries).
In the UK, if there is a safety concern with a vehicle, we can easily do an online search for any issues with the vehicle; however, this does not include any security issues.
I have also in the past received letters letting me know of safety updates from vehicle manufacturers.
Toyota, to their credit, do have a post on their website which details the attack; however, you would have had to know about this issue to have found it.
Armed with this information, my friend contacted his local Toyota dealership to ask about the retrospective CAN-Shield that can be fitted to his vehicle to stop the vulnerability. “Oh you know about this!” was the response from the Service manager. To be fair to Toyota they did not charge for fitting the shield to his vehicle.
Toyota is not the only manufacturer to have these kinds of issues; all are affected in one way or another by relay attacks or other methods. Most of these can be mitigated by software or hardware modifications to the vehicle.
I did contact the UK Department for Transport for a comment. Personally, I do think that, given we have a UK national database of who owns vehicles, they should in this day and age have the ability to email owners regarding security issues with vehicles.
Conclusion
So there is no process for alerting vehicle owners and, as far as the UK DfT is concerned, this is down to the vehicle manufacturer to communicate! ☹
Is this acceptable? Do the manufacturers proactively want to make their customers aware of security issues and get them fixed or is this a reflection of the software industry 20 years ago?
My friend did manage to get car insurance; however, the insurance company were not interested in the CAN-Shield or the fact that he had an additional ghost immobiliser fitted!
He’s just happy his car won’t be stolen easily now.